Bazar Backdoor 🚪✴️

The TrickBot trojan has survived the massive takedown operation. While the trojan is set to reboot its operations with a new set of backend infrastructure, its operators are making headway with another creation dubbed BazarLoader/BazarBackdoor.

BazarLoader is the newest stealthy malware added to the TrickBot group's toolkit. It came to the limelight in July, when researchers were investigating a particular attack campaign against targets across the U.S. and Europe. BazarLoader consists of two components: a loader and a backdoor.

The malware uses legitimate file-sharing services, as well as phishing emails, as part of the infection chain. The group behind the malware takes advantage of certificate signing to evade antivirus and other security software.

Key Strengths

  • BazarLoader’s strength lies in its stealthy core component and its obfuscation capabilities. These obfuscation qualities allow the crime group to maintain persistence on the host even if the third-party software gets detected by antivirus software.
  • Moreover, the ingenious use of blockchain by BazarLoader operators displays their ability to abuse legitimate services for nefarious activities.

Essence

Loaders are becoming an essential part of any cybercrime campaign. They start the infection chain by distributing the payload. In essence, they deploy and execute the backdoor from the C2 server and plant it on the victim’s machine.

BazarLoader demonstrates that alarming trend. Furthermore, the abuse of legitimate services and digital signatures for obfuscation reflects the widespread use of deception techniques.